The UNC Policy Manual
1400.1*
Adopted 05/24/18
Repealed 02/26/2026
I. Purpose. The University of North Carolina and each of
the constituent institutions depend on strategic and coordinated governance and
management of information technology to fulfill the University’s mission. The University’s
information technology and information resource needs continually evolve as new
challenges, opportunities, and technologies emerge. Consistent with the governance and oversight
responsibilities of the Board of Governors, the executive and administrative
responsibilities of the president and the chancellors of the constituent
institutions, and the role of the boards of trustees, as described in The Code of The University of North Carolina,
the Board adopts this policy delegating and allocating authorities and
responsibilities concerning information technology governance within the
University of North Carolina System.[1]
The purpose of this policy is
to foster the efficient development and maintenance of strategically aligned
information technology within known and acceptable levels of risk; to ensure an
effective and consistent governance and management of information technology at
each of the constituent institutions; and to encourage collaboration and shared
service arrangements in areas of information technology management, where
appropriate, among and between the constituent institutions and the University
of North Carolina System Office (UNC System Office).
II. Definitions
A. “Board of Governors” or “Board” means
the Board of Governors of the University of North Carolina.
B. “Board of trustees” means a board of
trustees of a constituent institution of the University of North Carolina
System.
C. “Chancellor” means the administrative
and executive head of a constituent institution of the University of North
Carolina, as described in Section 502 of The Code.
D. “Constituent institution” means one
of the 17 degree/diploma-granting institutions that comprise the University of
North Carolina.
E. “Information resources” means
information owned or possessed by the University, or related to business of the
University, regardless of form or location, and the hardware and software
resources used to electronically store, process, or transmit that information.
F. “Information technology (IT)” means
the hardware and software resources owned, leased, or used by the University
and its partners to store, process, or transmit University information.
Information technology is a subset of the University’s
information resources.
G. “Information technology governance” within
the UNC System refers to the framework, policies, rules, standards, structures, and
processes established to ensure that the University’s information technology supports
the missions, goals, and objectives of the UNC System and each constituent
institution; that information technology and information resources are managed
in accordance with rules and policies; and that risks and threats to
information technology and information resources are appropriately and
effectively identified and addressed. IT governance encompasses the planning,
prioritization, funding, evaluation, auditing, and security of information
technology and information resources at each constituent institution and across
the UNC System.
H. “Periodic” means occurring at a
frequency deemed appropriate based on an on-going assessment of associated
risks.
I. “President” means the chief
administrative and executive officer of the University of North Carolina, as
described in Section 501 of The Code, who reports to the Board of
Governors. The president is responsible for executing the board’s policies
directly, through the chancellors, and through the staff who report to the
president.
J. “University” or “University of
North Carolina System” or “UNC System” means the University of North Carolina,
a body politic and corporate defined as a single public multi-campus University
composed of 17 constituent institutions, the UNC System Office, and other educational,
research, and public service organizations.
III. UNC System IT Governance Program Development; Principles and Guidelines
A. The president shall oversee the information
technology governance program applicable to the UNC System and the constituent
institutions.
B. The UNC System information technology governance program shall
be developed, implemented, and maintained, subject to the president’s approval,
by the UNC System’s chief information
officer, who shall establish and update the program principles and guidelines on
a regular basis in consultation with the UNC Chief Information Officer Council.
The details of the information technology governance program shall be
confidential and not considered a public record to the extent permitted by North
Carolina law.
C. The information technology governance programs shall follow the UNC System
requirements, which will include:
1. A defined framework or frameworks to guide the development and implementation of
the governance programs; and
2. A set of principles and guidelines addressing planning, prioritization, funding,
evaluation, auditing, disaster recovery, privacy, and security of information
technology and information resources, risk assessments, risk management,
oversight of distributed IT resources, organizational and staffing models,
reporting and lines of authority, and such other areas as may be appropriate
for the UNC System and the constituent institutions.
D. The chief information officer, in consultation with
leadership at the UNC System Office and the constituent institutions, shall
make recommendations to the president at least annually concerning
collaborations, shared services arrangements, staffing structures, and additional resources needed to assure
that constituent institutions are able to achieve and maintain consistent and
effective information technology governance programs.
IV. Information Technology Governance
Program. Each constituent institution
and the UNC System Office shall establish an information technology governance
program consistent with the UNC System’s information technology governance
program framework and principles.
A. The chancellor, or the president in the case
of the UNC System Office, shall designate the institution’s chief information
officer or other member of the chancellor’s senior staff, who will be
responsible to the chancellor for oversight of information technology
governance at the institution and implementation of the information technology governance
framework and program as required by this policy.
B. The institution’s chief information officer
shall be vested with such authority as is necessary to successfully oversee the
information technology governance program and ensure the establishment and
proper implementation and operation of the information technology governance program
framework and principles.
V. Oversight of Information Technology Governance
A. The UNC System Office chief
information officer shall work with the UNC System Office finance, audit, and
legal staff, and the Chief Information Officers Council, to establish the
process and criteria by which each constituent institution and the UNC System
Office shall demonstrate that it is operating in accordance with the UNC
System’s information technology governance program. The minimum criteria will include:
1. Demonstration of a comprehensive information technology governance
program that encompasses both centralized IT and distributed IT consistent with
the framework, principles, and guidelines established in accordance with Part III
of this policy and includes:
a. A set of principles and guidelines concerning information
technology matters necessary to the teaching, research, and service missions of
the UNC System and the constituent institutions, including but not limited to:
security and encryption standards; software standards; hardware standards;
acquisition of information technology consulting and contract services;
disaster recovery standards; risk management and compliance; networking;
wireless technologies; and personal devices; and
b. Guidelines and priorities for decision-making for information
technology that align with the University’s strategic objectives.
2. Periodic self-monitoring and external monitoring of the
institution’s compliance with all principles, standards, and guidelines;
3. Periodic audits of information technology and information resource
issues by qualified auditors with specialized expertise;
4. Regular information technology risk assessments;
5. Periodic consideration of information technology matters by the
audit/compliance/risk management committee of the institution’s board; and
6. Effective systems of accountability to identify and correct
deficiencies.
B. The Board of Governors and the board of trustees of each
constituent institution shall assign responsibility for oversight of IT
governance to a standing committee of the board with audit responsibility.
1. Annual audit plan.
The annual audit plans of the constituent institutions shall consider,
as appropriate, audit activity focused on information technology matters, based
on annual risk assessments.
2. Audits. The
assigned committee with responsibility for IT governance shall review and
discuss audit activity relating to information technology matters, and address
issues of importance in information technology governance on a regular basis at
its scheduled meetings.
3. Reporting. The assigned committee with responsibility for
IT governance may request information and reporting related to the
institution’s IT governance program. All audit reports involving information
technology governance matters will be shared with the Committee on Audit, Risk
Management, and Compliance (CARMC).
VI. Other Matters
A. Effective Date.
The requirements of this policy shall be effective on the date of
adoption by the Board of Governors.
B. Relation to State Laws.
The foregoing policies as adopted by the Board of Governors are meant to
supplement, and do not purport to supplant or modify, those statutory
enactments which may govern the activities of public officials.
C. Regulations and Guidelines. These policies shall be implemented and
applied in accordance with such regulations and guidelines as may be adopted
from time to time by the president.
*Supersedes Section 1400.1 originally entitled, “The
Use of Information Technology,” adopted November 12, 2004.